Understanding Maine's Online Data Privacy Act (LD 1822)

3/31/2026

Key Provisions for Business Owners

Maine is establishing one of the toughest new standards in the country for digital privacy with the Maine Online Data Privacy Act (LD 1822). For businesses that rely on website analytics, advertising pixels, or behavioral targeting, LD 1822 raises the bar for how data is collected, used, and shared. While the official start date is September 1, 2027, as confirmed by the Maine House Democrats, the operational changes required may be significant for some businesses.

LD 1822 at a Glance

  • Effective Date: September 1, 2027.
  • What This Bill Changes: Moves away from broad user data collection and toward data minimization: businesses must justify every piece of data they collect.
  • Consumer Rights: Residents gain new rights to delete, correct, and port data, with a strict 45-day response window for businesses.
  • Heightened Standards: Ordinary data is subject to a "reasonably necessary" test, while sensitive data must meet a higher "strictly necessary" bar.
  • No Mandatory Warnings for Violations: The Attorney General can skip straight to enforcement and penalties without giving your business a chance to self-correct first.

Who Must Comply with LD 1822?

The law applies to "Controllers" (defined below) conducting business in Maine or targeting Maine residents that, in the preceding year, met one of two thresholds:

  • Volume Threshold: Controlled or processed the personal data of 35,000 or more unique Maine residents.*
    • *Under LD 1822, if you process a Maine resident’s data solely to complete a payment, that individual does not count toward the 35,000-resident threshold. To qualify for this "safe harbor," your data collection must remain strictly functional—limited to details like a credit card number, expiration date, and billing ZIP code used only to authorize a one-time sale. However, the "compliance clock" starts ticking the moment you go beyond that. If you add that customer’s email to a marketing database, use their purchase history for targeted advertising, or share their info with an ad network, they now count toward your 35,000 total. While the law officially takes effect September 1, 2027, businesses have until April 1, 2028, to fix early implementation errors under the Attorney General's discretionary "right to cure."
  • Revenue Threshold: Controlled or processed data for 10,000 or more residents AND derived more than 20% of gross revenue from the sale of personal data.

Key Terms to Know

Controller (You): The business that decides why and how personal data is collected.
Processor (Your Tools): Third-party service providers that handle data on your behalf (e.g., Shopify, Mailchimp, GA4).
Consumer: Any person who is a resident of Maine.

Prohibited or Strictly Limited Actions

Maine identifies several activities that are prohibited outright or subject to especially strict limits:

  • Selling Sensitive Data: Businesses are flatly prohibited from selling data related to health status, sexual orientation, race, or precise geolocation.
  • Tracking Minors: If you know a visitor is under 18, you cannot use their data for targeted advertising or sell their information.
  • Geofencing: Any data that can locate a person within a 1,750-foot radius (about 6 blocks, or 1/3 of a mile) is legally classified as Sensitive Data. If your app can tell exactly which building a person is in, that is "precise." If it only knows they are in "Portland" or a certain ZIP code, that is usually not precise enough to be sensitive. You can only collect this level of detail if it is strictly necessary for your service (like a maps app or a weather app).
    • There are additional rules on geofencing around healthcare facilities as well.

See all exclusions under §9602 (Definitions).

Defining Functional Tracking under LD 1822

Compliance does not require sacrificing the core functionality of your digital storefront. Under the new Maine standard, data collection remains permissible when categorized as an "Internal Operation." This classification covers the baseline tools, from error monitoring to load balancing, that ensure a website remains secure, stable, and responsive to user requests.

Here are some examples:

  • Tracking for Site Error Monitoring: For example, you are allowed to collect data to find and fix technical problems, like broken images or links, 404 page hits, or checkout crashes.
  • Ad Measurement: Such as tracking whether a user saw your own banner on your own site (like a banner at the top of a retail site promoting an on-site sale).
    • Don't forget that remarketing with this and other data is banned unless the user explicitly opted in.
  • Load Balancing: This is considered strictly necessary to prevent system failures and preserve the integrity of your website infrastructure.
  • First-Party A/B Testing: This is a cookie that remembers if a user was shown "Version A" or "Version B" of a landing page to ensure a consistent experience. Marketers use this regularly to evaluate the types of content that resonate most with their users. This falls under "internal operations" that are reasonably aligned with the expectations of the consumer based on their relationship with your brand.
    • The Catch: Of course, this data can't be used to retarget users who visited the page!
  • Standard Site Analytics (Non-Tracking): These are your baseline analytics used to see which pages on your site are popular, or which pages have high bounce rates. Something like this is allowed since it helps a business determine whether its site is functioning properly, and since the focus is not on the customer specifically.
    • The Catch: This is only valid if the data remains internal and is not shared with a third party to "predict the consumer's preferences or interests" on other websites.
  • Page Speed Monitoring: Scripts that measure millisecond load times are justified under the technical repair exemption to ensure the site functions as intended.
  • User Preference Cookies: Remembering language settings, currency preferences, "Dark Mode" choices, or maybe where you left off on your Netflix show.
  • Security & Fraud Prevention: Data used to detect identity theft, malicious activity, or protect against unauthorized logins.

Real-World Data Collection Exemptions Defined in LD 1822


E-Commerce Retailer of Physical Goods

Scenario: An online clothing store collects a customer’s home address, email and phone number.

The Justification: This collection could be considered "reasonably necessary" to fulfill a contract (shipping the order) and provide the product the consumer specifically requested.

Here's the Catch: While they can collect the address for shipping, they cannot use that same data to track the consumer's precise movements across other non-affiliated apps for advertising without meeting higher "Targeted Advertising" requirements.


Telehealth or Medical Appointment Apps

Scenario: A hospital's health app collects a user’s "Consumer Health Data" (such as symptoms, specific health concerns or pregnancy status) to match them with a doctor.

The Justification: Under the law, this is strictly necessary to provide the specific medical service requested by the consumer.

Here's the Catch: Because this is "Sensitive Data," the business is prohibited from selling this information to any third party, even if it might be "valuable" to a pharmaceutical company. They must also conduct a Data Protection Assessment because processing health data is a "heightened risk" activity.


Roadside Assistance Services

Scenario: Someone breaks down on the side of the road and needs to get towed. A towing company app, or maybe your car insurance app or AAA may need to collect "Precise Geolocation Data" (your geolocation within 1,750 feet) when a user hits a "Request Tow" button to provide the service they asked for.

The Justification: This is strictly necessary to provide the specific emergency service requested.

Here's the Catch: The app cannot continue to track the user’s location or search behavior after the service is complete for the purpose of "Profiling" or "Targeted Advertising" unless they can prove a separate, specific necessity or obtain new consent.

Note on "Public" Data: Information is not considered "publicly available" if it is sold to third parties, used to build consumer profiles, or used to make inferences about a person’s behavior. Just because info is "out there" doesn't mean it's exempt from these rules.

Steps You Should Take Now

  1. Get a cookie banner set up and configured on your site. This probably seems obvious, but this is the first logical step that needs to be taken. Since cookie banner providers generally charge between $15 - $500+ per month, businesses should take this time to source an appropriate provider. (Contact Us for our recommendation).
  2. Audit your tracking tools. For every script (GA4, Meta, etc.), answer these three questions: Is this a "sale"? Is this "sensitive" data? Do I have a binding and compliant agreement with this vendor?
    • How is a sale defined?: In Maine, a "sale" of personal data is defined as the exchange of personal data for monetary or other valuable consideration. This "valuable consideration" part is the trap for many businesses. It means that if you give a third party (like an ad network or a data broker) access to your customer data in exchange for anything of value—such as better ad targeting, discounted services, or access to their own data insights—it counts as a sale.
    • How is sensitive data defined?: Sensitive Data includes highly personal identifiers like your precise GPS location, health conditions, race, religion, sexual orientation, and biometric data. Unlike standard information, you can only collect this data if it is strictly necessary to provide the specific service the consumer requested. Most importantly, Maine creates a "red line" by flatly prohibiting the sale of sensitive data to any third party, regardless of consumer consent.
  3. Observe the “New Use” rule. This essentially means that data collected for one legitimate purpose (like shipping a purchased product) cannot be repurposed for a different one (like marketing) later without fresh, explicit consent.
  4. Prepare for Opt-Out Preference Signals. Your site should be ready to recognize and honor qualifying browser-based signals (like Global Privacy Control) by September 1, 2027.
  5. Make revocation as easy as it is to consent. If your banner makes it easy to "Accept," you're required to make it equally easy to "Opt-Out" or withdraw consent.
  6. Create a 45-day process. If a Mainer requests that their data be deleted or corrected, you have 45 days to respond to that request. Take the time now to ensure you have a system in place to receive, respond to, and handle such requests so that you remain compliant.
  7. Update your privacy disclosures. You must explicitly list Retention Schedules and provide enough detail for consumers to understand the business model of any third party receiving their data.
  8. Review processor agreements. Ensure vendor agreements include confidentiality and data collection obligations and clear requirements to return or destroy data when the service ends.
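Steps 2, 4 and 5 above come together in the gate that decides which tags a page may load. The following is an added example, not code from the article: it splits tags into the "internal operations" categories the law leaves alone and the categories that need opt-in, treats a Global Privacy Control signal (the browser's `navigator.globalPrivacyControl` flag or the `Sec-GPC: 1` request header) as an opt-out of targeted advertising and sale, and treats a recorded withdrawal as fully as it treats acceptance. The category names, the consent-record shape, and the rule that GPC overrides an earlier banner acceptance are assumptions of this example.

```javascript
// Added example (not from the article): a consent gate for third-party tags.
// Categories and the consent-record shape are assumptions for illustration.

// Baseline tooling the article describes as "internal operations" (allowed),
// versus processing the article says needs explicit opt-in.
const INTERNAL_OPERATIONS = new Set(["error_monitoring", "load_balancing", "preferences", "security"]);
const OPT_IN_REQUIRED = new Set(["targeted_advertising", "sale", "cross_site_analytics"]);

// Reads the GPC signal from either a browser object (navigator.globalPrivacyControl)
// or a server-side request object (Sec-GPC header), so one rule serves both sides.
function gpcSignalled(source) {
  if (source && source.navigator && source.navigator.globalPrivacyControl === true) return true;
  if (source && source.headers) {
    const h = source.headers["sec-gpc"]; // Node lower-cases header names
    return h === "1" || h === 1;
  }
  return false;
}

// consent = { optedIn: Set of categories the user explicitly accepted,
//             revokedAt: ISO timestamp of a withdrawal, or null }
function mayLoadTag(category, consent, source) {
  if (INTERNAL_OPERATIONS.has(category)) return true; // site functionality, no consent needed
  if (!OPT_IN_REQUIRED.has(category)) return false;   // unknown category: fail closed
  if (gpcSignalled(source)) return false;             // honor the opt-out signal (assumed to override banner consent)
  if (consent.revokedAt) return false;                // withdrawal is as effective as acceptance
  return consent.optedIn.has(category);               // otherwise only explicit opt-in loads it
}

// Returns the names of tags that may be injected; the caller injects them and
// can keep the returned list as an audit record of what ran and why.
function loadTags(tags, consent, source) {
  const loaded = [];
  for (const tag of tags) {
    if (mayLoadTag(tag.category, consent, source)) loaded.push(tag.name);
  }
  return loaded;
}
```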

What to Do if You Still Collect Consented User Data?

Under LD 1822, businesses are not required to proactively file assessments with the state. Instead, they must conduct and document Data Protection Assessments (DPAs) internally for any "high-risk activity," such as targeted advertising or processing sensitive data. These records must be maintained on-site and made available to the Maine Attorney General immediately upon request during an investigation.

When it is required: A DPA is mandatory if you engage in targeted advertising, the sale of personal data, or the processing of sensitive data.

What it must show: It must identify the benefits of the activity, weigh those benefits against the risks to consumers (such as unfair discrimination), and demonstrate that the data processing is necessary and proportionate.

Enforcement and the Discretionary "Right to Cure"

While many states offer a "Right to Cure" (a mandatory grace period to fix mistakes before being fined), Maine is taking a different, stricter path. Under LD 1822, there is no mandatory warning. The Maine Attorney General has sole discretion to decide whether to provide a 60-day notice of violation. This means the state can move straight to enforcement and penalties without giving your business a chance to self-correct first. Even during the early implementation window (prior to April 1, 2028), a warning is a possibility, not a guarantee.

The Attorney General may weigh several factors before deciding whether to grant a cure period. They may include:

  • The number of alleged violations.
  • The size and complexity of the business.
  • The nature and extent of your processing activities.
  • The likelihood of injury to the public.
  • The degree to which the alleged violations affect the safety of persons and property.
  • Whether the violation was likely caused by a human or technical error.
  • Your history of previous violations under similar laws.


Businesses interacting with Maine residents should begin taking steps now to audit their data inventories, vendor contracts, and public-facing privacy disclosures.

While organizations already compliant with other state privacy regimes can leverage existing programs, Maine’s unique thresholds and "strictly necessary" standards for sensitive data mean that a "one-size-fits-all" approach is not going to cut it. Because the Maine Online Data Privacy Act offers no guaranteed warning before enforcement, the window between now and the September 1, 2027 effective date is critical. Evaluating your current data footprint today is the only way to ensure your online operations are tailored to Maine’s rigorous new privacy landscape and to avoid immediate exposure when the discretionary "right to cure" period ends.

Resources & Reference Materials

For further reading on the specific language of the Act and its legislative journey, please refer to the following official sources for the most up to date information:

Official Legislation

News & Updates

Note: Legislative links are updated frequently as bills move through the final engrossing process.

Need Website Help?

Privacy compliance is complex; your website doesn’t have to be. Let us handle the technical heavy lifting so you can focus on growing your business.

Get Help Now


Disclaimer: This article is for informational purposes only and does not constitute legal advice. Businesses should consult with legal counsel to determine how LD 1822 applies to their specific data practices.
